In networks where predominantly Windows clients are found, it is often
preferable that users may only log in with a valid account and
password. In a Windows-based network, this task is handled by a primary
domain controller (PDC). You can use a Windows NT server configured as
PDC, but this task can also be done with the help of a Samba server. The
entries that must be made in the [global] section of smb.conf are shown in
Example 27.3, “Global Section in smb.conf”.
Example 27.3. Global Section in smb.conf
[global]
workgroup = TUX-NET
domain logons = Yes
domain master = Yes
If encrypted passwords are used for verification purposes, the Samba
server must be able to handle these. The entry encrypt passwords = yes
in the [global] section enables this (with Samba version 3, this is now
the default). In addition, it is necessary to prepare user accounts and
passwords in an encryption format that is compatible with Windows. Do
this with the command smbpasswd -a name. Create the domain account for
the computers, required by the Windows domain concept, with the
following commands:
useradd hostname\$
smbpasswd -a -m hostname
With the useradd command, a dollar sign is appended to the hostname. The
command smbpasswd inserts this automatically when the parameter -m is
used. The commented configuration example
(/usr/share/doc/packages/samba/examples/smb.conf.SUSE)
contains settings that automate this task:
add machine script = /usr/sbin/useradd -g nogroup -c "NT Machine Account" \
-s /bin/false %m\$
To make sure that Samba can execute this script correctly, choose a Samba
user with the required administrator permissions. To do so, select one
user and add it to the ntadmin
group. After that, all users belonging to this Linux group can be
assigned Domain Admin status with the command:
net groupmap add ntgroup="Domain Admins" unixgroup=ntadmin
More information about this topic is provided in Chapter 12 of the
Samba 3 HOWTO, found in
/usr/share/doc/packages/samba/Samba3-HOWTO.pdf.
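
The add machine script above gives machine accounts the shell /bin/false. As an added example (not part of the original documentation), the following shell function audits passwd-format data for machine accounts (names ending in $) that still have a login shell. The function names, the policy that every such account must have a non-login shell, and the sample entries are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit machine trust accounts in passwd-format data.
# Assumption: every account whose name ends in "$" should have a non-login
# shell, as set by "-s /bin/false" in the add machine script.

# Reads passwd-format lines on stdin. Prints one line per machine account:
#   "<name> OK"  or  "<name> LOGIN-SHELL <shell>"
# Exit status is 1 if any machine account has a login shell, else 0.
audit_machine_accounts() {
    awk -F: '
        $1 ~ /\$$/ {
            shell = ($7 == "" ? "(system default)" : $7)
            if (shell == "/bin/false" || shell ~ /\/nologin$/) {
                printf "%s OK\n", $1
            } else {
                printf "%s LOGIN-SHELL %s\n", $1, shell
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample entries (hypothetical hosts, not from a real system).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
tux:x:1000:100:Tux:/home/tux:/bin/bash
ws01$:x:1001:65534:NT Machine Account:/home/ws01$:/bin/false
ws02$:x:1002:65534:NT Machine Account:/home/ws02$:/bin/bash
ws03$:x:1003:65534:NT Machine Account:/home/ws03$:/sbin/nologin
EOF
}

# Demonstration on the constructed sample.
sample_passwd | audit_machine_accounts || echo "machine account with login shell found"
```

On a live system, feed the function real account data, for example with getent passwd | audit_machine_accounts.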